Large fines are being handed out all the time to firms that breach data protection laws. Here’s what you need to know so your company is not penalised.


Companies and organisations are legally obliged to handle and store the data they work with relating to customers, clients or anyone else in a certain way — and if they don't follow the rules, they can face steep fines. It can seem like there's a growing number of data compliance standards that UK firms have to follow. In this post, we'll look at the main standards and what you have to do to avoid falling foul of the law and being penalised. 

The Data Protection Act 2018

The Data Protection Act 2018 (DPA) sets out "data protection principles" that all companies, organisations and the government must follow when using personal information. These stringent rules are based on the EU's General Data Protection Regulation, which the UK applied directly until it was combined with the DPA. There are some differences, however, relating to data usage by law enforcement and the age at which minors can consent to their data being used.

To comply with the Data Protection Act, entities can only use personal data in a fair and transparent way. This information can only be used for a specific intended purpose — and not for something else that the person who gave their data might not be aware of. All personal data stored by companies and organisations has to be kept up to date, so it's accurate at all times. It can only be stored for a certain period, which is the length of time required to use it. 

Maximum fine for breach of the Data Protection Act 2018: £500,000.

General Data Protection Regulation (GDPR)

GDPR is the strictest legislation covering personal data in the world. Although the UK has left the EU, most of what's in the General Data Protection Regulation (GDPR) remains enshrined in law, forming the body of the Data Protection Act 2018. GDPR doesn't just apply to the UK and wider EU members, but the entire world — anyone outside the EU's jurisdiction doing business with a member state is subject to its terms. It came into effect in May 2018 in response to the growing use of cloud services by firms to store and process personal data, and to security breaches that allow attackers to steal information.

GDPR stems from the 1950 European Convention on Human Rights that says “Everyone has the right to respect for his private and family life, his home and his correspondence”. At the time, the EU admitted that complying with GDPR would be a "daunting prospect", especially for small and medium-sized firms. So what does it cover?

GDPR states that processing personal information relating to anyone in the EU should be:

  • Done in a fair, transparent and lawful manner.
  • Limited, in that the data can only be used for a specific purpose and one conveyed to the person whose data is to be used.
  • Accurate and updated as necessary.
  • Stored for only as long as it's needed.
  • Confidential — including when the personal information is being used and stored. This can involve encryption methods.
  • Accountable, meaning the holder of the data must be able to demonstrate they meet all of these requirements.

Maximum fine for breach of the Data Protection Act 2018: €20 million or 4% of global revenue — whichever is higher. 

Apart from these two sets of robust legislation covering personal data usage in the UK, what other regulations are there?

Companies operating in the UK are also subject to the Privacy and Electronic Communications Regulations (PECR), which govern phone calls, emails and texts sent for marketing purposes, as well as cookies placed on websites. The regulations came into force in 2003 and are also based on EU legislation. They also set requirements for keeping communications secure, protecting customer privacy and providing itemised billing.

Financial firms will additionally have to comply with the Basel Accords (Basel II & III) on banking supervision. Then there's the Payment Card Industry Data Security Standard, which deals with protecting the personal data of cardholders as a way to help reduce card fraud. 

Need help with data compliance standards, so your company is not hit with a big fine? Talk to the experts at ITRM today.  
